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ABSTRACT 

PAVE  (‘ Pilot  Assistant  in  the  Vicinity  of  hElipads  ")  is  a  global  research  project  conducted  under  the 
ONERA-DLR  common  research  programme. 

Several  new  technologies  are  now  available  for  helicopter  on-board  applications  which  have  potentialities 
to  support  the  pilot's  perception  and  decision  making.  The  technologies  addressed  in  the  frame  of  this 
project  include  an  advanced  flight  control  system,  calculation  of flight  envelope  limitations,  enhanced  and 
synthetic  vision,  mission  in-flight  planning  and  guidance.  In  order  to  obtain  actual  performance  and  safety 
benefits,  integration  of  these  technologies  is  one  of  the  key  issues  addressed  in  the  project. 

ONERA  is  especially  involved  in  the  development  of  a  particular  module  of  the  pilot  assistant,  called  the 
Flight  Execution  Monitor  (FEM). 

The  module  is  dedicated  to  the  monitoring  of  the  current  helicopter  situation  and  of  the  pilot's  procedural 
activity.  It  is  based  on  a  high  level  Petri  net  description  of  the  procedures,  derived  from  the  specifications 
of  the  flight  manual  and  from  interviews  with  the  users. 

This  Petri  net  description  is  used  to  monitor  the  execution  of  the  procedure,  to  graphically  display  the 
progress  of  the  helicopter  situation  and  also  to  provide  the  information  required  given  the  current 
situation,  including  some  flight  limitations  which  are  calculated  on  line  and  displayed  to  support  the 
pilot's  decision.  A  first  prototype  of  the  module  has  been  developed  and  implemented  in  a  man-in-the-loop 
simulation  environment. 

The  rationale  behind  the  concept,  the  architecture  of  the  current  prototype  and  the  possible  future 
directions  are  presented.  This  development  results  from  applied  research  on  control  execution  software; 
it  is  also  a  pragmatic  attempt  to  investigate  the  possible  alternatives  in  the  task  allocation  between  the 
human  operator  and  an  automated  system  such  as  the  modern  helicopter. 
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PAVE  Pilot  Assistant  in  the  Vicinity  of  hElipads 

PND  Petri  Net  Description 
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1.0  INTRODUCTION 
1.1  Context  of  the  Project 

PAVE  (“Pilot  Assistant  in  the  Vicinity  of  hElipads”)  is  a  global  research  project  conducted  under  the 
ONERA-DLR  common  research  programme.  The  project  was  historically  initiated  by  DLR  on  the  basis  of 
previous  research  work  for  civil  transport  applications  (Rataj,  Bender  &  Kohrs,  2000  and  2001).  ONERA 
joined  the  project  in  year  2000,  including  contribution  in  the  flight  mechanics  and  human  factors  research 
domains,  based  on  the  experience  gained  for  autonomous  systems  applications  (Barrouil  &  Lemaire, 
1999). 

Several  new  technologies  are  now  available  for  helicopter  on-board  applications  which  have  potentialities 
to  support  the  pilot’s  perception  and  decision  making.  The  technologies  addressed  in  the  frame  of  this 
project  include  an  advanced  flight  control  system,  calculation  of  flight  envelope  limitations,  enhanced  and 
synthetic  vision  displays,  in-flight  planning  and  guidance,  definition  of  low  noise  procedures  and  mission 
execution  monitoring  (Figure  1). 
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lhanced  Vision 


Terrain  Model 


Envelope  Protection 


Helipad  Image 


Flight  Path  Planning  &  Guidance 


ol  System 


Flii 


Petri  net  ProCoSA 


Flight  Execution  Monitor 


Figure  1:  The  Support  Functions  of  the  Assistance  System  (from  DLR). 


In  order  to  obtain  some  actual  performance  and  safety  improvements,  the  proper  integration  of  all  these 
technologies  to  constitute  the  assistance  system  is  one  of  the  key  issues  addressed  in  the  project. 
The  system  will  benefit  from  previous  assistant  systems  projects  (see  Winter  &  al.,  1997  for  a  review) 
and  it  will  make  use  of  a  generic  architecture  which  has  already  been  applied  and  evaluated  for  various 
applications  (Walsdorf  &  Onken,  1998). 

The  approach  is  based  on  the  now  well  established  principles  of  human  centred  automation  and  pilot 
assistance.  In  particular,  the  goal-oriented  interactions  of  the  human  operator  are  decomposed  into  the 
following  generic  functions  of  what  is  called  a  recognise-act  cycle  (AGARD,  1995): 
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•  Monitoring:  recognise  the  actual  state  of  the  world  and  compare  it  with  the  desired  state 
(which  corresponds  to  the  goal  of  the  interaction). 

•  Diagnosis:  analyse  the  deviations  of  actual  and  desired  state. 

•  Plan  generation  and  selection:  think  and  decide  about  the  actions  to  modify  the  state  of  the  world 
to  reach  the  desired  state. 

•  Plan  execution:  take  the  necessary  actions  to  change  the  state  of  the  world. 

1.2  Operational  Needs 

A  review  of  the  helicopter  safety  statistics  was  conducted  in  order  to  identify  the  possible  elements  and 
directions  for  safety  improvements  which  should  guide  the  design  of  a  generic  assistant  system. 
This  review  revealed  a  quite  different  profile  than  that  of  fixed  wing  aircraft. 

The  primary  division  in  helicopter  accidents  statistics  is  between  private  pilots  and  professional  pilots 
(Iseler  &  Maio,  2001).  This  fact  is  significant  of  the  well  known  positive  correlation  between  the 
regulation  of  an  activity,  the  level  of  the  operators’  proficiency  and  its  level  of  safety.  The  present  research 
project  is  intended  for  generic  applications,  although  it  makes  use  of  high  technology  equipment  and 
requires  the  availability  of  shared  data,  which  certainly  won’t  be  immediately  affordable  to  a  private  pilot. 

Among  the  professional  uses  of  the  helicopters,  and  due  to  the  low  altitude  and  versatile  characteristics  of 
their  missions,  it  appears  that  the  distribution  of  the  safety  events  is  quite  uniform  among  the  flight  phases, 
although  some  phases  may  appear  more  critical  when  more  specific  missions  are  considered  (e.g.  cruise  in 
EMS  missions,  maneuvers  in  aerial  application  missions,  ...).  This  fact  suggests  that  the  assistance  may  be 
worth  providing  during  the  whole  flight,  and  not  only  during  the  approach  phase. 

Human  error  or,  more  precisely,  judgement  error  is  often  cited  as  a  primary  cause  or  a  contributing  factor 
of  the  accidents.  This  error  denomination  remains  very  broad,  as  it  includes  estimation  errors  related  to 
visual  perception  as  well  as  representation  errors  or  over  confidence  in  the  basic  piloting  skills  under  bad 
weather  conditions.  Nevertheless,  it  suggests  that  safety  may  be  improved  by  an  active  support  of  the 
pilot’s  evaluation  of  the  flight  conditions  and  safety  margins. 


2.0  THE  CONCEPT  OF  FLIGHT  EXECUTION  MONITORING 

2.1  Keywords:  Automation  and  Assistance 

The  new  generation  helicopters  may  be  considered  as  automated  and  intelligent  systems,  as  they  are 
equipped  with  multi-modes  4-axes  autopilots,  elaborated  navigation  aids,  flight  management  systems  and 
electronic  check  list.  Automation  surprises  similar  to  those  of  fixed  wing  “glass  cockpit”  aircraft  have 
been  reported  (Harris,  1997). 

The  principles  and  general  models  which  are  used  as  guidelines  behind  the  concept  of  the  Flight  Execution 
Monitor  are  summarised  below. 

Although  automation  has  proved  efficient  to  improve  mission  performance  and  safety  to  the  current  level, 
several  possible  drawbacks  have  been  demonstrated:  poor  situational  awareness,  excessive  focus 
of  attention  when  reprogramming,  mode  confusion,  difficulty  of  manual  recovering,  and  impoverishment 
of  the  operator’s  knowledge  and  expertise,  due  to  the  lack  of  practice  of  manual  procedures 
(Amalberti,  1998). 
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The  principles  of  human  centred  automation  have  been  established  in  order  to  help  avoid  these  drawbacks. 
In  particular,  these  principles  include  the  respect  of  human  authority  and  of  human  ecology,  which  should 
preclude  to  the  design  of  an  assistant  system. 

The  ecological  safety  model  of  pilot’s  cognition  describes  the  dynamic  regulation  of  the  operator’s 
activity,  tuning  a  compromise  between  reaching  the  assigned  goals  with  the  required  objective 
performance  and  using  the  minimum  resources.  Three  main  solutions  are  identified,  which  are  used  by  the 
human  pilot  to  bypass  his/her  limitations  and  to  keep  the  situation  under  control:  mental  representation, 
planning  and  anticipation,  skills  and  behavioral  automation.  For  instance,  it  has  been  shown  that  the 
experienced  pilots  tend  to  invest  in  long  term  anticipation  as  long  as  the  situation  is  normal,  although  this 
is  sometimes  done  to  the  detriment  of  short  term  monitoring. 

In  the  design  of  an  assistance  system,  three  different  paradigms  for  human  machine  coupling  have  been 
described  (Amalberti  &  Deblon,  1992):  the  system  working  as  a  consultant  on  user  request,  as  a  partner  of 
a  cognitive  team,  or  as  a  permanent  critic  of  the  operator’s  decision.  The  last  is  thought  to  be  the  most 
promising  for  rapid  process  control.  In  order  to  favour  the  operator’s  acceptance  and  trust,  the  system 
should  provide  assistance  during  normal  conditions,  not  only  during  incidents,  and  it  should  be  based  on 
deep  knowledge,  such  as  the  physical  laws  governing  the  evolution  of  the  process.  Also,  as  such  a  system 
is  necessarily  imperfect,  solutions  should  be  proposed  rather  than  executed. 

2.2  Application  to  the  Concept  of  a  Flight  Execution  Monitor 

The  primary  task  of  the  human  operator,  according  to  the  recognise-act  cycle,  and  an  essential  task  for  the 
flight  crew  of  the  recent  automated  helicopter  is  to  monitor  the  ongoing  flight  progress.  For  instance, 
inadvertent  exceedances  of  the  flight  limitations  or  deviations  from  the  planned  trajectory  should  be 
detected  and  recognised  immediately. 

Given  the  existing  equipment,  several  developments  have  been  made  to  provide  the  pilot  with  the 
appropriate  navigation  aids  and  warnings  (for  instance  Gollnick,  2001),  and  so  to  effectively  participate  to 
the  short  term  monitoring  .  However,  these  developments  are  generally  based  on  calculation  algorithms  of 
the  trajectory,  rather  than  on  an  actual  description  of  the  flight  activity. 

The  principles  of  human  cognition  summarised  above  also  suggest  that  the  assistant  system  should 
primarily  focus  on  the  short  term  monitoring  of  the  system  and,  indirectly,  of  the  pilot’s  actions,  and  that 
the  system  should  try  to  implement  and  favour  the  human  skill-based  behaviour,  rather  than  the  more 
costly  rule-  or  knowledge-based  behaviours. 

A  concept  to  satisfy  these  requirements  is  to  provide  the  pilot  with  an  overview  of  the  current  status  of  the 
helicopter  within  the  assigned  current  procedure,  using  a  representation  familiar  to  the  pilot  and  including 
the  safety  limitations.  As  such,  the  concept  should  participate  to  the  pilot’s  situation  assessment  and 
awareness,  rather  than  replacing  him/her. 

Within  this  concept,  a  module  called  the  Flight  Execution  Monitor  (FEM)  has  been  integrated  in  the 
PAVE  project  (Figure  2).  This  module  is  built  around  a  goal -based  description  of  the  flight  activity,  using 
the  formalism  of  Petri  nets,  because  of  their  ability  to  mimic  the  skill-based  behaviour  of  a  human 
operator.  The  module  is  intended  to  work  as  an  independent  process,  calling  the  available  helicopter 
information  sources  as  required  for  monitoring,  and  making  use  of  complementary  servers  for  the 
necessary  calculation  and  display  of  the  results. 
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Figure  2:  The  FEM  as  a  Support  of  the  Pilot’s  Short  Term  Monitoring. 


3.0  DESCRIPTION  OF  THE  FEM  MODULE 

3.1  Petri  Net  Description  of  the  Activity 

The  formalism  of  Petri  nets  was  chosen  to  model  the  pilot’s  activity  because  of  their  ability  to  mimic  the 
skill-based  behaviour  of  a  human  operator.  They  are  especially  adapted  to  represent  the  dynamic 
behaviour  of  discrete  systems  -  such  as  a  piloting  procedure-  and  to  express  the  parallelism  and  the 
synchronisation  of  the  shared  resources.  Their  simple  graphical  representation  makes  them  easy  to 
understand  by  domain  experts,  providing  that  the  wording  and  the  mission  decomposition  are  based  on 
their  own  description  of  the  activity.  Last  but  not  least,  the  Petri  net  theory  provides  the  possibility  for 
formal  validation  of  the  Petri  nets,  which  appears  to  be  a  desirable  feature  of  any  software  candidate  to 
certification. 

Petri  nets  have  already  been  used  to  model  the  production  rules  typical  of  a  pilot’s  behaviour  in  other 
applications  (e.g.  Onken,  1995). 

The  Petri  nets  description  (PND)  of  the  pilot’s  activity  during  a  generic  mission  have  been  generated  on 
the  basis  on  the  information  provided  by  the  flight  manual  of  the  two  engines  Dauphin  helicopter. 
The  generic  mission  is  classically  decomposed  under  phases  and  sub  phases,  from  the  preliminary  ground 
verification  to  the  engine  shut  down.  Some  of  the  main  take-off  and  landing  procedures  have  been 
described,  including  the  procedures  on  confined  areas  and  with  one  engine  inoperative  (OEI). 
This  mission  decomposition  was  further  refined  by  means  of  interviews  of  a  flight  test  pilot,  and  was 
formalised  into  a  hierarchical  structure  of  Petri  nets  as  shown  on  Figure  3. 
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Figure  3:  The  Structure  of  Petri  Nets  Describing  a  Generic  Mission. 


Once  the  decomposition  of  the  mission  as  a  structure  of  Petri  nets  has  been  achieved,  each  mission  phase 
is  translated  as  a  Petri  net,  down  to  the  elementary  parameter  values  used  for  monitoring.  The  Petri  net 
description  of  the  landing  procedure  is  given  as  an  example  on  Figure  4.  The  places  named  in  italics 
correspond  to  a  sub  Petri  net. 


Figure  4:  The  Petri  Net  Description  of  a  Landing  Procedure. 


Behind  this  Petri  net  graph,  the  events  required  for  firing  and  the  actions  attached  to  each  transition  have 
to  be  specified.  The  actions  may  be  directed  either  to  a  server  or  to  a  sub  net  and  they  may  include  some 
arguments. 


3.2  Tools  and  Architecture 

The  first  prototype  of  the  FEM  module  has  been  developed,  making  use  of  a  software  called  ProCoSA 
which  is  developed  at  ONERA.  This  software  has  already  been  applied  to  the  execution  control  of 
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autonomous  vehicles;  it  allows  an  easy  design  of  the  Petri  nets  and  their  implementation  for  real  time  on 
board  applications. 


ProCoSA  is  in  fact  composed  of  the  three  following  tools: 

•  EdiPet  is  an  interactive  Petri  net  editor  (Figure  5),  which  is  used  off-line  in  order  to  graphically 
design  the  places,  transitions  and  arrows  which  constitute  the  Petri  nets,  together  with  their 
corresponding  actions,  events  and  related  servers; 
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Figure  5:  The  Interactive  Petri  Net  Editor  ‘EdiPet’. 


•  The  Petri  net  player  is  an  independent  software  which  actually  interprets  and  controls  the 
behaviour  of  the  Petri  nets  in  their  real  time  environment;  it  also  enables  interactive  transition 
firing  for  the  purpose  of  the  Petri  net  debugging. 

•  VisuPet  is  the  interface  software  behind  EdiPet  which  allows  the  visualisation  of  the  Petri  nets 
behaviour  (places  marking)  when  they  are  activated. 

The  global  architecture  of  the  FEM  module  within  the  simulation  environment  is  described  on  Figure  6. 


Figure  6:  The  Global  FEM  Module  and  Simulation  Architecture. 
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The  core  of  the  FEM  module  is  composed  of  the  hierarchical  structure  of  Petri  nets  implemented  under 
ProCoSA,  which  is  working  as  an  independent  process.  ProCoSA  communicates  with  different  servers  by 
the  way  of  an  intranet.  Each  server  is  also  an  independent  process,  written  in  the  C  language,  which  has 
access  to  common  information  via  shared  memories. 

One  server  is  dedicated  to  the  collection  of  system  information  as  required  for  monitoring,  one  is  used  to 
control  the  FEM  interface  as  commanded  by  ProCoSA,  and  other  servers  are  used  for  on-line  calculations 
which  cannot  be  easily  implemented  as  Petri  nets,  such  as  the  calculation  of  the  maximum  landing  weight 
as  a  function  of  the  actual  landing  conditions. 

3.3  The  User  Interface 

When  the  FEM  module  is  running,  the  Petri  net  graph  allows  a  direct  understanding  of  the  current 
helicopter  situation,  by  following  the  marked  places  (coloured  in  red  on  Figure  4).  This  presentation  of  the 
current  situation  is  useful  for  the  Petri  net  designer  in  order  to  check  the  correct  functioning  of  the  system. 
However,  the  Petri  net  marking  is  discrete  by  nature,  which  makes  it  of  small  benefit  for  the  use  of  the 
pilot:  the  evolution  of  the  procedure  may  be  either  too  fast  for  the  markings  to  be  displayed,  or  on  the 
opposite,  it  may  be  too  slow  and  the  display  may  remain  static  and  non  informative. 

This  is  the  reason  why  a  specific  graphical  interface  has  been  developed.  This  interface  is  controlled  by 
the  way  of  actions  sent  by  the  Petri  net  and  have  also  access  to  the  shared  flight  data.  It  may  receive  the 
pilot’s  input  for  choices  and  confirmations.  Different  pages  related  to  the  different  possible  mission  phases 
are  available,  including  checklist  pages  and  procedures  descriptions  similar  to  those  of  the  flight  manual: 
the  page  related  to  the  landing  procedure  is  presented  on  Figure  7. 


Figure  7:  An  Example  Page  of  the  Interface  Controlled  by  the  Petri  Net  Player. 


This  type  of  adaptive  interface  is  a  first  prototype,  trying  to  take  advantage  of  the  specific  features  of  the 
Petri  net  graphs:  it  requires  extra  test  and  validation  before  being  considered  for  introduction  in  the 
cockpit.  In  particular,  the  appropriate  necessary  inputs  from  the  pilot  and  the  warning  or  caution  signals 
have  to  be  determined,  taking  into  account  the  existing  cockpit  design. 
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4.0  CONCLUSION 

A  preliminary  development  of  a  Flight  Execution  Monitor  has  been  conducted  as  part  of  an  assistance 
system  for  the  helicopter  pilot.  This  development  based  on  the  formalism  of  Petri  nets  using  a  tool  already 
validated  for  real-time  on-board  applications  appears  to  be  a  promising  concept,  as  it  provides  an  evolutive 
description  of  the  mission  similar  to  the  pilots’  usual  representation  of  their  mission. 

Further  work  is  necessary  to  validate  the  Petri  net  descriptions  using  both  formal  analysis  methods  and 
piloted  simulation  and  to  integrate  the  FEM  module  with  the  other  components  and  available  information 
sources  in  the  frame  of  the  PAVE  project,  based  on  a  design  philosophy  respecting  the  principles  of 
human  cognition. 

Special  thanks  to  the  students  Pascale  Bourlier  and  Sebastien  Habert  who  developed  the  first  prototypes 
of  the  system  and  also  to  my  colleague  Nicolas  Maille  for  his  support. 
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